@bytebase/dbhub 0.17.0 → 0.19.0

package/dist/{chunk-YKDZH7G5.js → chunk-LUNM7TUY.js}

@@ -70,6 +70,9 @@ import { readFileSync, realpathSync, statSync } from "fs";
 import { homedir } from "os";
 import { join } from "path";
 import SSHConfig from "ssh-config";
+function getDefaultSSHConfigPath() {
+  return join(homedir(), ".ssh", "config");
+}
 var DEFAULT_SSH_KEYS = [
   "~/.ssh/id_rsa",
   "~/.ssh/id_ed25519",
@@ -296,7 +299,9 @@ var SSHTunnel = class {
           privateKey,
           targetConfig.passphrase,
           previousStream,
-          `jump host ${i + 1}`
+          `jump host ${i + 1}`,
+          targetConfig.keepaliveInterval,
+          targetConfig.keepaliveCountMax
         );
         console.error(`  \u2192 Forwarding through ${jumpHost.host}:${jumpHost.port} to ${nextHost.host}:${nextHost.port}`);
         forwardStream = await this.forwardTo(client, nextHost.host, nextHost.port);
@@ -322,7 +327,9 @@ var SSHTunnel = class {
       privateKey,
       targetConfig.passphrase,
       previousStream,
-      jumpHosts.length > 0 ? "target host" : void 0
+      jumpHosts.length > 0 ? "target host" : void 0,
+      targetConfig.keepaliveInterval,
+      targetConfig.keepaliveCountMax
     );
     this.sshClients.push(finalClient);
     return finalClient;
@@ -330,7 +337,7 @@ var SSHTunnel = class {
   /**
    * Connect to a single SSH host.
    */
-  connectToHost(hostInfo, password, privateKey, passphrase, sock, label) {
+  connectToHost(hostInfo, password, privateKey, passphrase, sock, label, keepaliveInterval, keepaliveCountMax) {
     return new Promise((resolve, reject) => {
       const client = new Client();
       const sshConfig = {
@@ -350,6 +357,17 @@ var SSHTunnel = class {
       if (sock) {
         sshConfig.sock = sock;
       }
+      if (keepaliveInterval !== void 0) {
+        if (Number.isNaN(keepaliveInterval) || keepaliveInterval < 0) {
+          const desc = label || `${hostInfo.host}:${hostInfo.port}`;
+          console.warn(
+            `Invalid SSH keepaliveInterval (${keepaliveInterval}) for ${desc}; keepalive configuration will be ignored.`
+          );
+        } else if (keepaliveInterval > 0) {
+          sshConfig.keepaliveInterval = keepaliveInterval * 1e3;
+          sshConfig.keepaliveCountMax = keepaliveCountMax ?? 3;
+        }
+      }
       const onError = (err) => {
         client.removeListener("ready", onReady);
         client.destroy();
@@ -488,7 +506,7 @@ var SSHTunnel = class {
 // src/config/toml-loader.ts
 import fs2 from "fs";
 import path2 from "path";
-import { homedir as homedir3 } from "os";
+import { homedir as homedir2 } from "os";
 import toml from "@iarna/toml";
 
 // src/config/env.ts
@@ -496,7 +514,6 @@ import dotenv from "dotenv";
 import path from "path";
 import fs from "fs";
 import { fileURLToPath } from "url";
-import { homedir as homedir2 } from "os";
 
 // src/utils/safe-url.ts
 var SafeURL = class {
@@ -955,7 +972,7 @@ function resolveSSHConfig() {
     sources.push("SSH_HOST from environment");
   }
   if (sshConfigHost && looksLikeSSHAlias(sshConfigHost)) {
-    const sshConfigPath = path.join(homedir2(), ".ssh", "config");
+    const sshConfigPath = getDefaultSSHConfigPath();
     console.error(`Attempting to parse SSH config for host '${sshConfigHost}' from: ${sshConfigPath}`);
     const sshConfigData = parseSSHConfig(sshConfigHost, sshConfigPath);
     if (sshConfigData) {
@@ -1011,6 +1028,27 @@ function resolveSSHConfig() {
     config.proxyJump = process.env.SSH_PROXY_JUMP;
     sources.push("SSH_PROXY_JUMP from environment");
   }
+  const parseNonNegativeInteger = (value, name) => {
+    const parsed = Number(value);
+    if (!Number.isInteger(parsed) || parsed < 0) {
+      throw new Error(`Invalid value for ${name}: "${value}". Expected a non-negative integer.`);
+    }
+    return parsed;
+  };
+  if (args["ssh-keepalive-interval"]) {
+    config.keepaliveInterval = parseNonNegativeInteger(args["ssh-keepalive-interval"], "ssh-keepalive-interval");
+    sources.push("ssh-keepalive-interval from command line");
+  } else if (process.env.SSH_KEEPALIVE_INTERVAL) {
+    config.keepaliveInterval = parseNonNegativeInteger(process.env.SSH_KEEPALIVE_INTERVAL, "SSH_KEEPALIVE_INTERVAL");
+    sources.push("SSH_KEEPALIVE_INTERVAL from environment");
+  }
+  if (args["ssh-keepalive-count-max"]) {
+    config.keepaliveCountMax = parseNonNegativeInteger(args["ssh-keepalive-count-max"], "ssh-keepalive-count-max");
+    sources.push("ssh-keepalive-count-max from command line");
+  } else if (process.env.SSH_KEEPALIVE_COUNT_MAX) {
+    config.keepaliveCountMax = parseNonNegativeInteger(process.env.SSH_KEEPALIVE_COUNT_MAX, "SSH_KEEPALIVE_COUNT_MAX");
+    sources.push("SSH_KEEPALIVE_COUNT_MAX from environment");
+  }
   if (!config.host || !config.username) {
     throw new Error("SSH tunnel configuration requires at least --ssh-host and --ssh-user");
   }
@@ -1090,6 +1128,8 @@ async function resolveSourceConfigs() {
       source.ssh_password = sshResult.config.password;
       source.ssh_key = sshResult.config.privateKey;
       source.ssh_passphrase = sshResult.config.passphrase;
+      source.ssh_keepalive_interval = sshResult.config.keepaliveInterval;
+      source.ssh_keepalive_count_max = sshResult.config.keepaliveCountMax;
     }
     if (dsnResult.isDemo) {
       const { getSqliteInMemorySetupSql } = await import("./demo-loader-PSMTLZ2T.js");
@@ -1112,7 +1152,8 @@ function loadTomlConfig() {
   }
   try {
     const fileContent = fs2.readFileSync(configPath, "utf-8");
-    const parsedToml = toml.parse(fileContent);
+    const rawToml = toml.parse(fileContent);
+    const parsedToml = interpolateEnvVars(rawToml);
     if (!Array.isArray(parsedToml.sources)) {
       throw new Error(
         `Configuration file ${configPath}: must contain a [[sources]] array. Use [[sources]] syntax for array of tables in TOML.`
@@ -1270,6 +1311,31 @@ function validateSourceConfig(source, configPath) {
       );
     }
   }
+  if (source.aws_iam_auth !== void 0 && typeof source.aws_iam_auth !== "boolean") {
+    throw new Error(
+      `Configuration file ${configPath}: source '${source.id}' has invalid aws_iam_auth. Must be a boolean (true or false).`
+    );
+  }
+  if (source.aws_region !== void 0) {
+    if (typeof source.aws_region !== "string" || source.aws_region.trim().length === 0) {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has invalid aws_region. Must be a non-empty string (e.g., "eu-west-1").`
+      );
+    }
+  }
+  if (source.aws_iam_auth === true) {
+    const validIamTypes = ["postgres", "mysql", "mariadb"];
+    if (!source.type || !validIamTypes.includes(source.type)) {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has aws_iam_auth enabled, but this is only supported for postgres, mysql, and mariadb sources.`
+      );
+    }
+    if (!source.aws_region) {
+      throw new Error(
+        `Configuration file ${configPath}: source '${source.id}' has aws_iam_auth enabled but aws_region is not specified.`
+      );
+    }
+  }
   if (source.connection_timeout !== void 0) {
     if (typeof source.connection_timeout !== "number" || source.connection_timeout <= 0) {
       throw new Error(
@@ -1397,9 +1463,29 @@ function processSourceConfigs(sources, configPath) {
     return processed;
   });
 }
+var ENV_VAR_PATTERN = /\$\{([^}]+)\}/g;
+function interpolateEnvVars(value) {
+  if (typeof value === "string") {
+    return value.replace(ENV_VAR_PATTERN, (match, varName) => {
+      const envValue = process.env[varName];
+      return envValue !== void 0 ? envValue : match;
+    });
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => interpolateEnvVars(item));
+  }
+  if (value !== null && typeof value === "object" && Object.getPrototypeOf(value) === Object.prototype) {
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      result[key] = interpolateEnvVars(val);
+    }
+    return result;
+  }
+  return value;
+}
 function expandHomeDir(filePath) {
   if (filePath.startsWith("~/")) {
-    return path2.join(homedir3(), filePath.substring(2));
+    return path2.join(homedir2(), filePath.substring(2));
   }
   return filePath;
 }
@@ -1420,7 +1506,8 @@ function buildDSNFromSource(source) {
     }
     return `sqlite:///${source.database}`;
   }
-  const passwordRequired = source.authentication !== "azure-active-directory-access-token";
+  const isAwsIamPasswordless = source.aws_iam_auth === true && ["postgres", "mysql", "mariadb"].includes(source.type);
+  const passwordRequired = source.authentication !== "azure-active-directory-access-token" && !isAwsIamPasswordless;
   if (!source.host || !source.user || !source.database) {
     throw new Error(
       `Source '${source.id}': missing required connection parameters. Required: type, host, user, database`
@@ -1428,7 +1515,7 @@ function buildDSNFromSource(source) {
   }
   if (passwordRequired && !source.password) {
     throw new Error(
-      `Source '${source.id}': password is required. (Password is optional only for azure-active-directory-access-token authentication)`
+      `Source '${source.id}': password is required. (Password is optional for azure-active-directory-access-token authentication or when aws_iam_auth=true)`
     );
   }
   const port = source.port || getDefaultPortForType(source.type);
@@ -1460,8 +1547,21 @@ function buildDSNFromSource(source) {
   return dsn;
 }
 
+// src/utils/aws-rds-signer.ts
+import { Signer } from "@aws-sdk/rds-signer";
+async function generateRdsAuthToken(params) {
+  const signer = new Signer({
+    hostname: params.hostname,
+    port: params.port,
+    username: params.username,
+    region: params.region
+  });
+  return signer.getAuthToken();
+}
+
 // src/connectors/manager.ts
 var managerInstance = null;
+var AWS_IAM_TOKEN_REFRESH_MS = 14 * 60 * 1e3;
 var ConnectorManager = class {
   // Prevent race conditions
   constructor() {
@@ -1472,6 +1572,8 @@ var ConnectorManager = class {
     // Store original source configs
     this.sourceIds = [];
     // Ordered list of source IDs (first is default)
+    this.iamRefreshTimers = /* @__PURE__ */ new Map();
+    this.isDisconnecting = false;
     // Lazy connection support
     this.lazySources = /* @__PURE__ */ new Map();
     // Sources pending lazy connection
@@ -1561,27 +1663,36 @@ var ConnectorManager = class {
    */
   async connectSource(source) {
     const sourceId = source.id;
-    const dsn = buildDSNFromSource(source);
+    const dsn = await this.buildConnectionDSN(source);
     console.error(`  - ${sourceId}: ${redactDSN(dsn)}`);
     let actualDSN = dsn;
     if (source.ssh_host) {
-      if (!source.ssh_user) {
-        throw new Error(
-          `Source '${sourceId}': SSH tunnel requires ssh_user`
-        );
+      let resolvedSSHConfig = null;
+      if (looksLikeSSHAlias(source.ssh_host)) {
+        const sshConfigPath = getDefaultSSHConfigPath();
+        console.error(`  Resolving SSH config for host '${source.ssh_host}' from: ${sshConfigPath}`);
+        resolvedSSHConfig = parseSSHConfig(source.ssh_host, sshConfigPath);
       }
+      const username = source.ssh_user || resolvedSSHConfig?.username;
       const sshConfig = {
-        host: source.ssh_host,
-        port: source.ssh_port || 22,
-        username: source.ssh_user,
+        host: resolvedSSHConfig?.host || source.ssh_host,
+        port: source.ssh_port || resolvedSSHConfig?.port || 22,
+        username: username || "",
         password: source.ssh_password,
-        privateKey: source.ssh_key,
+        privateKey: source.ssh_key || resolvedSSHConfig?.privateKey,
         passphrase: source.ssh_passphrase,
-        proxyJump: source.ssh_proxy_jump
+        proxyJump: source.ssh_proxy_jump || resolvedSSHConfig?.proxyJump,
+        keepaliveInterval: source.ssh_keepalive_interval,
+        keepaliveCountMax: source.ssh_keepalive_count_max
       };
+      if (!username) {
+        throw new Error(
+          `Source '${sourceId}': SSH tunnel requires ssh_user (or a matching Host entry in ~/.ssh/config with User)`
+        );
+      }
       if (!sshConfig.password && !sshConfig.privateKey) {
         throw new Error(
-          `Source '${sourceId}': SSH tunnel requires either ssh_password or ssh_key`
+          `Source '${sourceId}': SSH tunnel requires either ssh_password or ssh_key (or a matching Host entry in ~/.ssh/config with IdentityFile)`
         );
       }
       const url = new URL(dsn);
@@ -1627,11 +1738,17 @@ var ConnectorManager = class {
       this.sourceIds.push(sourceId);
     }
     this.sourceConfigs.set(sourceId, source);
+    this.scheduleIamRefresh(source);
   }
   /**
    * Close all database connections
    */
   async disconnect() {
+    this.isDisconnecting = true;
+    for (const timer of this.iamRefreshTimers.values()) {
+      clearTimeout(timer);
+    }
+    this.iamRefreshTimers.clear();
     for (const [sourceId, connector] of this.connectors.entries()) {
       try {
         await connector.disconnect();
@@ -1653,6 +1770,7 @@ var ConnectorManager = class {
     this.lazySources.clear();
     this.pendingConnections.clear();
     this.sourceIds = [];
+    this.isDisconnecting = false;
   }
   /**
    * Get a connector by source ID
@@ -1753,63 +1871,317 @@ var ConnectorManager = class {
     }
     return getDefaultPortForType(type) ?? 0;
   }
+  scheduleIamRefresh(source) {
+    if (this.isDisconnecting) {
+      return;
+    }
+    const sourceId = source.id;
+    const existingTimer = this.iamRefreshTimers.get(sourceId);
+    if (existingTimer) {
+      clearTimeout(existingTimer);
+      this.iamRefreshTimers.delete(sourceId);
+    }
+    if (!source.aws_iam_auth) {
+      return;
+    }
+    const timer = setTimeout(async () => {
+      if (this.isDisconnecting) {
+        return;
+      }
+      try {
+        await this.refreshIamSourceConnection(source);
+      } catch (error) {
+        console.error(
+          `Error refreshing AWS IAM auth token for source '${sourceId}':`,
+          error
+        );
+      } finally {
+        if (!this.isDisconnecting && this.sourceConfigs.has(sourceId)) {
+          this.scheduleIamRefresh(source);
+        }
+      }
+    }, AWS_IAM_TOKEN_REFRESH_MS);
+    timer.unref?.();
+    this.iamRefreshTimers.set(sourceId, timer);
+  }
+  async refreshIamSourceConnection(source) {
+    const sourceId = source.id;
+    if (this.isDisconnecting || !source.aws_iam_auth || !this.connectors.has(sourceId)) {
+      return;
+    }
+    console.error(`Refreshing AWS IAM auth connection for source '${sourceId}'...`);
+    const existingConnector = this.connectors.get(sourceId);
+    if (existingConnector) {
+      await existingConnector.disconnect();
+      this.connectors.delete(sourceId);
+    }
+    const existingTunnel = this.sshTunnels.get(sourceId);
+    if (existingTunnel) {
+      await existingTunnel.close();
+      this.sshTunnels.delete(sourceId);
+    }
+    if (this.isDisconnecting) {
+      return;
+    }
+    await this.connectSource(source);
+  }
+  /**
+   * Build a connection DSN, optionally replacing password with
+   * an AWS RDS IAM auth token when aws_iam_auth is enabled.
+   */
+  async buildConnectionDSN(source) {
+    const dsn = buildDSNFromSource(source);
+    if (!source.aws_iam_auth) {
+      return dsn;
+    }
+    const supportedIamTypes = ["postgres", "mysql", "mariadb"];
+    if (!source.type || !supportedIamTypes.includes(source.type)) {
+      throw new Error(
+        `Source '${source.id}': aws_iam_auth is only supported for postgres, mysql, and mariadb`
+      );
+    }
+    if (!source.aws_region) {
+      throw new Error(
+        `Source '${source.id}': aws_region is required when aws_iam_auth is enabled`
+      );
+    }
+    const parsed = new SafeURL(dsn);
+    const hostname = parsed.hostname;
+    const username = source.user || parsed.username;
+    const defaultPort = getDefaultPortForType(source.type);
+    const port = parsed.port ? parseInt(parsed.port) : defaultPort;
+    if (!hostname || !username || !port) {
+      throw new Error(
+        `Source '${source.id}': unable to resolve host, username, or port for AWS IAM authentication`
+      );
+    }
+    const token = await generateRdsAuthToken({
+      hostname,
+      port,
+      username,
+      region: source.aws_region
+    });
+    const queryParams = new Map(parsed.searchParams);
+    queryParams.set("sslmode", "require");
+    const protocol = parsed.protocol.endsWith(":") ? parsed.protocol.slice(0, -1) : parsed.protocol;
+    const encodedUser = encodeURIComponent(username);
+    const encodedToken = encodeURIComponent(token);
+    const path3 = parsed.pathname || "/";
+    const query = Array.from(queryParams.entries()).map(
+      ([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`
+    ).join("&");
+    return `${protocol}://${encodedUser}:${encodedToken}@${hostname}:${port}${path3}${query ? `?${query}` : ""}`;
+  }
 };
 
 // src/utils/sql-parser.ts
-function stripCommentsAndStrings(sql) {
-  let result = "";
+var TokenType = { Plain: 0, Comment: 1, QuotedBlock: 2 };
+function plainToken(i) {
+  return { type: TokenType.Plain, end: i + 1 };
+}
+function scanSingleLineComment(sql, i) {
+  if (sql[i] !== "-" || sql[i + 1] !== "-") {
+    return null;
+  }
+  let j = i;
+  while (j < sql.length && sql[j] !== "\n") {
+    j++;
+  }
+  return { type: TokenType.Comment, end: j };
+}
+function scanMultiLineComment(sql, i) {
+  if (sql[i] !== "/" || sql[i + 1] !== "*") {
+    return null;
+  }
+  let j = i + 2;
+  while (j < sql.length && !(sql[j] === "*" && sql[j + 1] === "/")) {
+    j++;
+  }
+  if (j < sql.length) {
+    j += 2;
+  }
+  return { type: TokenType.Comment, end: j };
+}
+function scanNestedMultiLineComment(sql, i) {
+  if (sql[i] !== "/" || sql[i + 1] !== "*") {
+    return null;
+  }
+  let j = i + 2;
+  let depth = 1;
+  while (j < sql.length && depth > 0) {
+    if (sql[j] === "/" && sql[j + 1] === "*") {
+      depth++;
+      j += 2;
+    } else if (sql[j] === "*" && sql[j + 1] === "/") {
+      depth--;
+      j += 2;
+    } else {
+      j++;
+    }
+  }
+  return { type: TokenType.Comment, end: j };
+}
+function scanSingleQuotedString(sql, i) {
+  if (sql[i] !== "'") {
+    return null;
+  }
+  let j = i + 1;
+  while (j < sql.length) {
+    if (sql[j] === "'" && sql[j + 1] === "'") {
+      j += 2;
+    } else if (sql[j] === "'") {
+      j++;
+      break;
+    } else {
+      j++;
+    }
+  }
+  return { type: TokenType.QuotedBlock, end: j };
+}
+function scanDoubleQuotedString(sql, i) {
+  if (sql[i] !== '"') {
+    return null;
+  }
+  let j = i + 1;
+  while (j < sql.length) {
+    if (sql[j] === '"' && sql[j + 1] === '"') {
+      j += 2;
+    } else if (sql[j] === '"') {
+      j++;
+      break;
+    } else {
+      j++;
+    }
+  }
+  return { type: TokenType.QuotedBlock, end: j };
+}
+var dollarQuoteOpenRegex = /^\$([a-zA-Z_]\w*)?\$/;
+function scanDollarQuotedBlock(sql, i) {
+  if (sql[i] !== "$") {
+    return null;
+  }
+  const next = sql[i + 1];
+  if (next >= "0" && next <= "9") {
+    return null;
+  }
+  const remaining = sql.substring(i);
+  const m = dollarQuoteOpenRegex.exec(remaining);
+  if (!m) {
+    return null;
+  }
+  const tag = m[0];
+  const bodyStart = i + tag.length;
+  const closeIdx = sql.indexOf(tag, bodyStart);
+  const end = closeIdx !== -1 ? closeIdx + tag.length : sql.length;
+  return { type: TokenType.QuotedBlock, end };
+}
+function scanBacktickQuotedIdentifier(sql, i) {
+  if (sql[i] !== "`") {
+    return null;
+  }
+  let j = i + 1;
+  while (j < sql.length) {
+    if (sql[j] === "`" && sql[j + 1] === "`") {
+      j += 2;
+    } else if (sql[j] === "`") {
+      j++;
+      break;
+    } else {
+      j++;
+    }
+  }
+  return { type: TokenType.QuotedBlock, end: j };
+}
+function scanBracketQuotedIdentifier(sql, i) {
+  if (sql[i] !== "[") {
+    return null;
+  }
+  let j = i + 1;
+  while (j < sql.length) {
+    if (sql[j] === "]" && sql[j + 1] === "]") {
+      j += 2;
+    } else if (sql[j] === "]") {
+      j++;
+      break;
+    } else {
+      j++;
+    }
+  }
+  return { type: TokenType.QuotedBlock, end: j };
+}
+function scanTokenAnsi(sql, i) {
+  return scanSingleLineComment(sql, i) ?? scanMultiLineComment(sql, i) ?? scanSingleQuotedString(sql, i) ?? scanDoubleQuotedString(sql, i) ?? plainToken(i);
+}
+function scanTokenPostgres(sql, i) {
+  return scanSingleLineComment(sql, i) ?? scanNestedMultiLineComment(sql, i) ?? scanSingleQuotedString(sql, i) ?? scanDoubleQuotedString(sql, i) ?? scanDollarQuotedBlock(sql, i) ?? plainToken(i);
+}
+function scanTokenMySQL(sql, i) {
+  return scanSingleLineComment(sql, i) ?? scanMultiLineComment(sql, i) ?? scanSingleQuotedString(sql, i) ?? scanDoubleQuotedString(sql, i) ?? scanBacktickQuotedIdentifier(sql, i) ?? plainToken(i);
+}
+function scanTokenSQLite(sql, i) {
+  return scanSingleLineComment(sql, i) ?? scanMultiLineComment(sql, i) ?? scanSingleQuotedString(sql, i) ?? scanDoubleQuotedString(sql, i) ?? scanBacktickQuotedIdentifier(sql, i) ?? scanBracketQuotedIdentifier(sql, i) ?? plainToken(i);
+}
+function scanTokenSQLServer(sql, i) {
+  return scanSingleLineComment(sql, i) ?? scanMultiLineComment(sql, i) ?? scanSingleQuotedString(sql, i) ?? scanDoubleQuotedString(sql, i) ?? scanBracketQuotedIdentifier(sql, i) ?? plainToken(i);
+}
+var dialectScanners = {
+  postgres: scanTokenPostgres,
+  mysql: scanTokenMySQL,
+  mariadb: scanTokenMySQL,
+  sqlite: scanTokenSQLite,
+  sqlserver: scanTokenSQLServer
+};
+function getScanner(dialect) {
+  return dialect ? dialectScanners[dialect] ?? scanTokenAnsi : scanTokenAnsi;
+}
+function stripCommentsAndStrings(sql, dialect) {
+  const scanToken = getScanner(dialect);
+  const parts = [];
+  let plainStart = -1;
   let i = 0;
   while (i < sql.length) {
-    if (sql[i] === "-" && sql[i + 1] === "-") {
-      while (i < sql.length && sql[i] !== "\n") {
-        i++;
+    const token = scanToken(sql, i);
+    if (token.type === TokenType.Plain) {
+      if (plainStart === -1) {
+        plainStart = i;
       }
-      result += " ";
-      continue;
-    }
-    if (sql[i] === "/" && sql[i + 1] === "*") {
-      i += 2;
-      while (i < sql.length && !(sql[i] === "*" && sql[i + 1] === "/")) {
-        i++;
+    } else {
+      if (plainStart !== -1) {
+        parts.push(sql.substring(plainStart, i));
+        plainStart = -1;
       }
-      i += 2;
-      result += " ";
-      continue;
+      parts.push(" ");
     }
-    if (sql[i] === "'") {
-      i++;
-      while (i < sql.length) {
-        if (sql[i] === "'" && sql[i + 1] === "'") {
-          i += 2;
-        } else if (sql[i] === "'") {
-          i++;
-          break;
-        } else {
-          i++;
-        }
+    i = token.end;
+  }
+  if (plainStart !== -1) {
+    parts.push(sql.substring(plainStart));
+  }
+  return parts.join("");
+}
+function splitSQLStatements(sql, dialect) {
+  const scanToken = getScanner(dialect);
+  const statements = [];
+  let stmtStart = 0;
+  let i = 0;
+  while (i < sql.length) {
+    if (sql[i] === ";") {
+      const trimmed2 = sql.substring(stmtStart, i).trim();
+      if (trimmed2.length > 0) {
+        statements.push(trimmed2);
       }
-      result += " ";
-      continue;
-    }
-    if (sql[i] === '"') {
+      stmtStart = i + 1;
       i++;
-      while (i < sql.length) {
-        if (sql[i] === '"' && sql[i + 1] === '"') {
-          i += 2;
-        } else if (sql[i] === '"') {
-          i++;
-          break;
-        } else {
-          i++;
-        }
-      }
-      result += " ";
       continue;
     }
-    result += sql[i];
-    i++;
+    const token = scanToken(sql, i);
+    i = token.end;
+  }
+  const trimmed = sql.substring(stmtStart).trim();
+  if (trimmed.length > 0) {
+    statements.push(trimmed);
   }
-  return result;
+  return statements;
 }
 
 // src/utils/parameter-mapper.ts
@@ -2145,12 +2517,15 @@ export {
   getDatabaseTypeFromDSN,
   getDefaultPortForType,
   stripCommentsAndStrings,
+  splitSQLStatements,
   isDemoMode,
   resolveTransport,
   resolvePort,
   resolveSourceConfigs,
   BUILTIN_TOOL_EXECUTE_SQL,
   BUILTIN_TOOL_SEARCH_OBJECTS,
+  loadTomlConfig,
+  resolveTomlConfigPath,
   ConnectorManager,
   mapArgumentsToArray,
   ToolRegistry,

package/dist/index.js

@@ -8,15 +8,19 @@ import {
   getDatabaseTypeFromDSN,
   getDefaultPortForType,
   getToolRegistry,
+  initializeToolRegistry,
   isDemoMode,
+  loadTomlConfig,
   mapArgumentsToArray,
   obfuscateDSNPassword,
   parseConnectionInfoFromDSN,
   resolvePort,
   resolveSourceConfigs,
+  resolveTomlConfigPath,
   resolveTransport,
+  splitSQLStatements,
   stripCommentsAndStrings
-} from "./chunk-YKDZH7G5.js";
+} from "./chunk-LUNM7TUY.js";
 
 // src/connectors/postgres/index.ts
 import pg from "pg";
@@ -585,7 +589,7 @@ var PostgresConnector = class _PostgresConnector {
     }
     const client = await this.pool.connect();
     try {
-      const statements = sql2.split(";").map((statement) => statement.trim()).filter((statement) => statement.length > 0);
+      const statements = splitSQLStatements(sql2, "postgres");
       if (statements.length === 1) {
         const processedStatement = SQLRowLimiter.applyMaxRows(statements[0], options.maxRows);
         let result;
@@ -1332,7 +1336,7 @@ var SQLiteConnector = class _SQLiteConnector {
       throw new Error("Not connected to SQLite database");
     }
     try {
-      const statements = sql2.split(";").map((statement) => statement.trim()).filter((statement) => statement.length > 0);
+      const statements = splitSQLStatements(sql2, "sqlite");
       if (statements.length === 1) {
         let processedStatement = statements[0];
         const trimmedStatement = statements[0].toLowerCase().trim();
@@ -1878,7 +1882,7 @@ var MySQLConnector = class _MySQLConnector {
     try {
       let processedSQL = sql2;
       if (options.maxRows) {
-        const statements = sql2.split(";").map((statement) => statement.trim()).filter((statement) => statement.length > 0);
+        const statements = splitSQLStatements(sql2, "mysql");
         const processedStatements = statements.map(
           (statement) => SQLRowLimiter.applyMaxRows(statement, options.maxRows)
         );
@@ -2325,7 +2329,7 @@ var MariaDBConnector = class _MariaDBConnector {
     try {
       let processedSQL = sql2;
       if (options.maxRows) {
-        const statements = sql2.split(";").map((statement) => statement.trim()).filter((statement) => statement.length > 0);
+        const statements = splitSQLStatements(sql2, "mariadb");
         const processedStatements = statements.map(
           (statement) => SQLRowLimiter.applyMaxRows(statement, options.maxRows)
         );
@@ -2428,7 +2432,7 @@ var allowedKeywords = {
   sqlserver: ["select", "with", "explain", "showplan"]
 };
 function isReadOnlySQL(sql2, connectorType) {
-  const cleanedSQL = stripCommentsAndStrings(sql2).trim().toLowerCase();
+  const cleanedSQL = stripCommentsAndStrings(sql2, connectorType).trim().toLowerCase();
   if (!cleanedSQL) {
     return true;
   }
@@ -2521,11 +2525,8 @@ function trackToolRequest(metadata, startTime, extra, success, error) {
 var executeSqlSchema = {
   sql: z.string().describe("SQL to execute (multiple statements separated by ;)")
 };
-function splitSQLStatements(sql2) {
-  return sql2.split(";").map((statement) => statement.trim()).filter((statement) => statement.length > 0);
-}
 function areAllStatementsReadOnly(sql2, connectorType) {
-  const statements = splitSQLStatements(sql2);
+  const statements = splitSQLStatements(sql2, connectorType);
   return statements.every((statement) => isReadOnlySQL(statement, connectorType));
 }
 function createExecuteSqlToolHandler(sourceId) {
@@ -3555,6 +3556,95 @@ function buildSourceDisplayInfo(sourceConfigs, getToolsForSource2, isDemo) {
   });
 }
 
+// src/utils/config-watcher.ts
+import fs from "fs";
+var DEBOUNCE_MS = 500;
+function startConfigWatcher(options) {
+  const { connectorManager, initialTools } = options;
+  const configPath = resolveTomlConfigPath();
+  if (!configPath) {
+    return null;
+  }
+  let debounceTimer = null;
+  let isReloading = false;
+  let reloadPending = false;
+  let lastGoodSources = connectorManager.getAllSourceConfigs();
+  let lastGoodTools = initialTools;
+  const scheduleReload = () => {
+    if (debounceTimer) {
+      clearTimeout(debounceTimer);
+    }
+    debounceTimer = setTimeout(reload, DEBOUNCE_MS);
+  };
+  const reload = async () => {
+    if (isReloading) {
+      reloadPending = true;
+      return;
+    }
+    isReloading = true;
+    reloadPending = false;
+    try {
+      console.error(`
+Detected change in ${configPath}, reloading configuration...`);
+      const newConfig = loadTomlConfig();
+      if (!newConfig) {
+        console.error("Config reload: failed to load TOML config, keeping existing connections.");
+        return;
+      }
+      const oldSources = lastGoodSources;
+      const oldTools = lastGoodTools;
+      await connectorManager.disconnect();
+      try {
+        await connectorManager.connectWithSources(newConfig.sources);
+        initializeToolRegistry({
+          sources: newConfig.sources,
+          tools: newConfig.tools
+        });
+        lastGoodSources = newConfig.sources;
+        lastGoodTools = newConfig.tools;
+        console.error("Configuration reloaded successfully.");
+      } catch (connectError) {
+        console.error("Failed to connect with new config, rolling back:", connectError);
+        try {
+          await connectorManager.disconnect();
+        } catch {
+        }
+        try {
+          await connectorManager.connectWithSources(oldSources);
+          initializeToolRegistry({ sources: oldSources, tools: oldTools });
+          console.error("Rolled back to previous configuration.");
+        } catch (rollbackError) {
+          console.error("Rollback also failed, server has no active connections:", rollbackError);
+        }
+      }
+    } catch (error) {
+      console.error("Config reload failed, keeping existing connections:", error);
+    } finally {
+      isReloading = false;
+      if (reloadPending) {
+        reloadPending = false;
+        scheduleReload();
+      }
+    }
+  };
+  const watcher = fs.watch(configPath, (eventType) => {
+    if (eventType === "change") {
+      scheduleReload();
+    }
+  });
+  watcher.unref?.();
+  watcher.on("error", (err) => {
+    console.error("Config file watcher error:", err);
+  });
+  console.error(`Watching ${configPath} for changes (hot reload enabled)`);
+  return () => {
+    if (debounceTimer) {
+      clearTimeout(debounceTimer);
+    }
+    watcher.close();
+  };
+}
+
 // src/server.ts
 var __filename = fileURLToPath(import.meta.url);
 var __dirname = path.dirname(__filename);
@@ -3607,12 +3697,16 @@ See documentation for more details on configuring database connections.
     const sources = sourceConfigsData.sources;
     console.error(`Configuration source: ${sourceConfigsData.source}`);
     await connectorManager.connectWithSources(sources);
-    const { initializeToolRegistry } = await import("./registry-7HJVUJCM.js");
-    initializeToolRegistry({
+    const { initializeToolRegistry: initializeToolRegistry2 } = await import("./registry-6VNMKD6G.js");
+    initializeToolRegistry2({
       sources: sourceConfigsData.sources,
       tools: sourceConfigsData.tools
     });
     console.error("Tool registry initialized");
+    const stopConfigWatcher = startConfigWatcher({
+      connectorManager,
+      initialTools: sourceConfigsData.tools
+    });
     const createServer = () => {
       const server = new McpServer({
         name: SERVER_NAME,
@@ -3640,6 +3734,9 @@ See documentation for more details on configuring database connections.
       isDemo
     );
     console.error(generateStartupTable(sourceDisplayInfos));
+    process.on("exit", () => {
+      stopConfigWatcher?.();
+    });
     if (transportData.type === "http") {
       const app = express();
       app.use(express.json());

package/dist/{registry-7HJVUJCM.js → registry-6VNMKD6G.js}

@@ -2,7 +2,7 @@ import {
   ToolRegistry,
   getToolRegistry,
   initializeToolRegistry
-} from "./chunk-YKDZH7G5.js";
+} from "./chunk-LUNM7TUY.js";
 export {
   ToolRegistry,
   getToolRegistry,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bytebase/dbhub",
-  "version": "0.17.0",
+  "version": "0.19.0",
   "mcpName": "io.github.bytebase/dbhub",
   "description": "Minimal, token-efficient Database MCP Server for PostgreSQL, MySQL, SQL Server, SQLite, MariaDB",
   "repository": {
@@ -32,10 +32,14 @@
     "test:watch": "vitest",
     "test:integration": "vitest run --project integration"
   },
+  "engines": {
+    "node": ">=20"
+  },
   "keywords": [],
   "author": "",
   "license": "MIT",
   "dependencies": {
+    "@aws-sdk/rds-signer": "^3.1001.0",
     "@azure/identity": "^4.8.0",
     "@iarna/toml": "^2.2.5",
     "@modelcontextprotocol/sdk": "^1.25.1",